Lecture 9 – Public-Key Encryption COSC-466 Applied Cryptography Adam O’Neill Adapted from http://cseweb.ucsd.edu/~mihir/cse107/ Recall Symmetric-Key Crypto • In this setting, if Alice wants to communicate secure with Bob they need a shared key KAB. Recall Symmetric-Key Crypto • In this setting, if Alice wants to communicate secure with Bob they need a shared key KAB. • If Alice wants to also communicate with Charlie they need a shared key KAC. Recall Symmetric-Key Crypto • In this setting, if Alice wants to communicate secure with Bob they need a shared key KAB. • If Alice wants to also communicate with Charlie they need a shared key KAC. • If Alice generates KAB and KAC they must be communicated to Bob and Charlie over secure channels. How can this be done? Public-Key Crypto • Alice has a secret key that is shared with nobody, and a public key that is shared with everybody. Public-Key Crypto • Alice has a secret key that is shared with nobody, and a public key that is shared with everybody. • Anyone can use Alice’s public key to send her a private message. Public-Key Crypto • Alice has a secret key that is shared with nobody, and a public key that is shared with everybody. • Anyone can use Alice’s public key to send her a private message. • Public key is like a phone number: Anyone can look it up in a phone book. Public-Key Crypto • Alice has a secret key that is shared with nobody, and a public key that is shared with everybody. • Anyone can use Alice’s public key to send her a private message. • Public key is like a phone number: Anyone can look it up in a phone book. • Senders don’t need secrets; there are no shared secrets Public Key Encryption SyntaxSyntax and Correctness of PKE of PKE A public-key (or asymmetric) encryption scheme =( , , ) consists AE K E D of three algorithms, where Alice has a secret key that is shared with nobody, and an associated • pk public key that is known to everybody. K Anyone (Bob, Charlie, ...)canuseAlice’spublickeytosendheran • encrypted message which only she can decrypt. sk Think of the public key like a phone number that you can look up in a database Senders don’t need secrets • M CC M or There are no shared secrets • E D ? A Mihir Bellare UCSD 5 Mihir Bellare UCSD 6 Correct decryption requirement How it works Step 1: Key generation Let =( , , ) be an asymmetric encryption scheme. The correct $ AE K E D Alice locally computers (pk, sk) and stores sk. decryption requirement is that K Step 2: Alice enables any prospective sender to get pk. Pr[ (sk, (pk, M)) = M]=1 D E Step 3:Thesenderencryptsunderpk and Alice decrypts under sk. for all (pk, sk) that may be output by and all messages M in the We don’t require privacy of pk but we do require authenticity: the sender K message space of . The probability is over the random choices of . should be assured pk is really Alice’s key and not someone else’s. One AE E could This simply says that decryption correctly reverses encryption to recover Put public keys in a trusted but public “phone book”, say a the message that was encrypted. When we specify schemes, we indicate • what is the message space. cryptographic DNS. Use certificates as we will see later. • Mihir Bellare UCSD 7 Mihir Bellare UCSD 8 Code Obfuscation Perspective * Diffie÷i÷÷". Hellman PKI? Public Key Encryption Syntax of PKE A public-key (or asymmetric) encryption scheme =( , , ) consists AE K E D of three algorithms, where Alice has a secret key that is shared with nobody, and an associated • pk public key that is known to everybody. K Anyone (Bob, Charlie, ...)canuseAlice’spublickeytosendheran • encrypted message which only she can decrypt. sk Think of the public key like a phone number that you can look up in a database Senders don’t need secrets • M CC M or There are no shared secrets • E D ? A Mihir Bellare UCSD 5 Mihir Bellare UCSD 6 Correct decryption requirementCorrectness How it works Step 1: Key generation Let =( , , ) be an asymmetric encryption scheme. The correct $ AE K E D Alice locally computers (pk, sk) and stores sk. decryption requirement is that K Step 2: Alice enables any prospective sender to get pk. Pr[ (sk, (pk, M)) = M]=1 D E e Step 3:Thesenderencryptsunderpk and Alice decrypts under sk. for all (pk, sk) that may be output by and all messages M in the We don’t require privacy of pk but we do require authenticity: the sender K message space of . The probability is over the random choices of . should be assured pk is really Alice’s key and not someone else’s. One AE E could This simply says that decryption correctly reverses encryption to recover Put public keys in a trusted but public “phone book”, say a the message that was encrypted. When we specify schemes, we indicate • what is the message space. cryptographic DNS. Use certificates as we will see later. • Mihir Bellare UCSD 7 Mihir Bellare UCSD 8 Public Key Encryption Syntax of PKE A public-key (or asymmetric) encryption scheme =( , , ) consists AE K E D of three algorithms, where Alice has a secret key that is shared with nobody, and an associated • pk public key that is known to everybody. K Anyone (Bob, Charlie, ...)canuseAlice’spublickeytosendheran • encrypted message which only she can decrypt. sk Think of the public key like a phone number that you can look up in a database Senders don’t need secrets • M CC M or There are no shared secrets • E D ? A Mihir Bellare UCSD 5 Mihir Bellare UCSD 6 Correct decryption requirement How it works How It Works Step 1: Key generation Let =( , , ) be an asymmetric encryption scheme. The correct $ AE K E D Alice locally computers (pk, sk) and stores sk. decryption requirement is that K Step 2: Alice enables any prospective sender to get pk. Pr[ (sk, (pk, M)) = M]=1 D E Step 3:Thesenderencryptsunderpk and Alice decrypts under sk. for all (pk, sk) that may be output by and all messages M in the We don’t require privacy of pk but we do require authenticity: the sender K message space of . The probability is over the random choices of . should be assured pk is really Alice’s key and not someone else’s. One AE E could This simply says that decryption correctly reverses encryption to recover Put public keys in a trusted but public “phone book”, say a the message that was encrypted. When we specify schemes, we indicate • what is the message space. cryptographic DNS. Use certificates as we will see later. • Mihir Bellare UCSD 7 Mihir Bellare UCSD 8 The games for IND-CPAIND-CPA Let =( , , )beaPKEschemeandA an adversary. AE K E D Game Left Game Right AE AE procedure Initialize procedure Initialize (pk, sk) $ ; return pk (pk, sk) $ ; return pk K K procedure LR(M0, M1) procedure LR(M0, M1) Return C $ (M ) Return C $ (M ) Epk 0 Epk 1 Associated to , A are the probabilities AE Pr LeftA 1 Pr RightA 1 AE ) AE ) h i h i that A outputs 1 in each world. The ind-cpa advantage of A is Advind-cpa(A)=Pr RightA 1 Pr LeftA 1 AE AE ) − AE ) h i h i Mihir Bellare UCSD 9 Problem: Legitimate receiver needs to compute discrete logarithm to decrypt too! But decryption needs to be feasible. Above, receiver has no secret key! Security of PKE Schemes The games for IND-CPA Let =( , , )beaPKEschemeandA an adversary. AE K E D Game Left Game Right AE AE procedure Initialize procedure Initialize (pk, sk) $ ; return pk (pk, sk) $ ; return pk Same as for symmetric encryption, except for one new element: The K K procedure LR(M0, M1) procedure LR(M0, M1) adversary needs to be given the public key. $ $ Return C pk (M0) Return C pk (M1) We formalize IND-CPA accordingly. E E Associated to , A are the probabilities AE Pr LeftA 1 Pr RightA 1 AE ) AE ) h i h i that A outputs 1 in each world. The ind-cpa advantage of A is Advind-cpa(A)=Pr RightA 1 Pr LeftA 1 AE AE ) − AE ) h i h i Mihir Bellare UCSD 9 Mihir Bellare UCSD 10 IND-CPA: Explanations Building a PKE Scheme Explanations We would like security to result from the hardness of computing discrete logarithms. The “return pk” statement in Initialize means the adversary A gets the public key pk as input. It does not get sk. Let the receiver’s public key be g where G = g is a cyclic group. Let’s h i let the encryption of x be g x .Then It can call LR with any equal-length messages M0, M1 of its choice to get $ back an encryption C (M ) of M under sk,whereb = 0 in game x hard Epk b b g x Left and b = 1 in game Right . Notation indicates encryption ! AE AE g (x) algorithm may be randomized. E |{z} A is not allowed to call LR with messages M0, M1 of unequal length. Any so to recover x, adversary must compute discrete logarithms, and we know such A is considered invalid and its advantage is undefined or 0. it can’t, so are we done? It outputs a bit, and wins if this bit equals b. Mihir Bellare UCSD 11 Mihir Bellare UCSD 12 Building aHow to Build a Scheme? PKE Scheme Recall DH Secret Key Exchange We would like security to result from the hardness of computing discrete The following are assumed to be public: A large prime p and a generator g logarithms.